13 years ago · 7d6667db23
--- a/src/lib/datasrc/database.cc
+++ b/src/lib/datasrc/database.cc
@@ -450,7 +450,8 @@ DatabaseClient::Finder::findDelegationPoint(const isc::dns::Name& name,
 
				     const size_t remove_labels = name.getLabelCount() - origin_label_count;
			
 
				 
			
 
				     // Go through all superdomains from the origin down searching for nodes
			
 
				-    // that indicate a delegation (.e. NS or DNAME).
			
 
				+    // that indicate a delegation (.e. NS or DNAME).  Note that we only check
			
 
				+    // pure superdomains; delegation on an exact match will be detected later.
			
 
				     for (int i = remove_labels; i > 0; --i) {
			
 
				         const Name superdomain(name.split(i));
			
 
				 
			
@@ -810,12 +811,14 @@ DatabaseClient::Finder::findOnNameResult(const Name& name,
 
				     const FoundIterator cni(found.second.find(RRType::CNAME()));
			
 
				     const FoundIterator wti(found.second.find(type));
			
 
				 
			
 
				-    if (!is_origin && (options & FIND_GLUE_OK) == 0 &&
			
 
				+    if (!is_origin && (options & FIND_GLUE_OK) == 0 && type != RRType::DS() &&
			
 
				         nsi != found.second.end()) {
			
 
				         // A NS RRset was found at the domain we were searching for.  As it is
			
 
				         // not at the origin of the zone, it is a delegation and indicates that
			
 
				         // this zone is not authoritative for the data. Just return the
			
 
				-        // delegation information.
			
 
				+        // delegation information, except:
			
 
				+        // - when we are looking for glue records (FIND_GLUE_OK), or
			
 
				+        // - when the query type is DS (which cancels the delegation)
			
 
				         return (logAndCreateResult(name, wildname, type, DELEGATION,
			
 
				                                    nsi->second,
			
 
				                                    wild ? DATASRC_DATABASE_WILDCARD_NS :
			
--- a/src/lib/datasrc/tests/database_unittest.cc
+++ b/src/lib/datasrc/tests/database_unittest.cc
@@ -142,9 +142,11 @@ const char* const TEST_RECORDS[][5] = {
 
				     {"delegation.example.org.", "NS", "3600", "", "ns.example.com."},
			
 
				     {"delegation.example.org.", "NS", "3600", "",
			
 
				      "ns.delegation.example.org."},
			
 
				-    {"delegation.example.org.", "DS", "3600", "", "1 RSAMD5 2 abcd"},
			
 
				+    {"delegation.example.org.", "DS", "3600", "", "1 1 2 abcd"},
			
 
				     {"delegation.example.org.", "RRSIG", "3600", "", "NS 5 3 3600 "
			
 
				      "20000101000000 20000201000000 12345 example.org. FAKEFAKEFAKE"},
			
 
				+    {"delegation.example.org.", "RRSIG", "3600", "", "DS 5 3 3600 "
			
 
				+     "20000101000000 20000201000000 12345 example.org. FAKEFAKEFAKE"},
			
 
				     {"ns.delegation.example.org.", "A", "3600", "", "192.0.2.1"},
			
 
				     {"deep.below.delegation.example.org.", "A", "3600", "", "192.0.2.1"},
			
 
				 
			
@@ -156,6 +158,11 @@ const char* const TEST_RECORDS[][5] = {
 
				 
			
 
				     {"below.dname.example.org.", "A", "3600", "", "192.0.2.1"},
			
 
				 
			
 
				+    // Insecure delegation (i.e., no DS at the delegation point)
			
 
				+    {"insecdelegation.example.org.", "NS", "3600", "", "ns.example.com."},
			
 
				+    {"insecdelegation.example.org.", "NSEC", "3600", "",
			
 
				+     "dummy.example.org. NS NSEC"},
			
 
				+
			
 
				     // Broken NS
			
 
				     {"brokenns1.example.org.", "A", "3600", "", "192.0.2.1"},
			
 
				     {"brokenns1.example.org.", "NS", "3600", "", "ns.example.com."},
			
@@ -2201,6 +2208,38 @@ TYPED_TEST(DatabaseClientTest, findDelegation) {
 
				                  DataSourceError);
			
 
				 }
			
 
				 
			
 
				+TYPED_TEST(DatabaseClientTest, findDS) {
			
 
				+    // Type DS query is an exception to the general delegation case; the NS
			
 
				+    // should be ignored and it should be treated just like normal
			
 
				+    // authoritative data.
			
 
				+
			
 
				+    boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
			
 
				+
			
 
				+    // DS exists at the delegation point.  It should be returned with result
			
 
				+    // code of SUCCESS.
			
 
				+    this->expected_rdatas_.push_back("1 1 2 abcd"),
			
 
				+    this->expected_sig_rdatas_.push_back("DS 5 3 3600 20000101000000 "
			
 
				+                                         "20000201000000 12345 example.org. "
			
 
				+                                         "FAKEFAKEFAKE");
			
 
				+    doFindTest(*finder, Name("delegation.example.org."),
			
 
				+               RRType::DS(), RRType::DS(), this->rrttl_, ZoneFinder::SUCCESS,
			
 
				+               this->expected_rdatas_, this->expected_sig_rdatas_,
			
 
				+               ZoneFinder::RESULT_DEFAULT);
			
 
				+
			
 
				+    // DS doesn't exist at the delegation point.  The result should be
			
 
				+    // NXRRSET, and if DNSSEC is requested and the zone is NSEC-signed,
			
 
				+    // the corresponding NSEC should be returned (normally with its RRSIG,
			
 
				+    // but in this simplified test setup it's omitted in the test data).
			
 
				+    this->expected_rdatas_.clear();
			
 
				+    this->expected_rdatas_.push_back("dummy.example.org. NS NSEC");
			
 
				+    this->expected_sig_rdatas_.clear();
			
 
				+    doFindTest(*finder, Name("insecdelegation.example.org."),
			
 
				+               RRType::DS(), RRType::NSEC(), this->rrttl_, ZoneFinder::NXRRSET,
			
 
				+               this->expected_rdatas_, this->expected_sig_rdatas_,
			
 
				+               ZoneFinder::RESULT_NSEC_SIGNED,
			
 
				+               Name("insecdelegation.example.org."), ZoneFinder::FIND_DNSSEC);
			
 
				+}
			
 
				+
			
 
				 TYPED_TEST(DatabaseClientTest, emptyDomain) {
			
 
				     boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());